Seclog - #183
In this week's Seclog, the intersection of advanced cybersecurity threats and the rapidly evolving role of Artificial Intelligence in both offense and defense takes center stage. Several critical vulnerabilities were disclosed, including unauthenticated Remote Code Execution in popular platforms like Joomla JCE and Cisco CUCM, alongside a pre-authentication zero-click RCE in AnyDesk, emphasizing the persistent risk in widely deployed software. Alarmingly, new research provides concrete evidence of threat actors actively utilizing LLMs such as Claude and Codex to facilitate real-world company breaches, signaling a significant shift in adversarial tactics. In response, defensive AI innovations are emerging, with OpenAI launching new tools like Codex Security and Endor Labs introducing AURI Agents designed to automate vulnerability identification and AppSec remediation at scale. The news also covers sophisticated supply-chain compromises delivered through social engineering via fake job offers, and deep dives into memory safety bugs in PHP and critical cryptographic flaws affecting major libraries, underscoring the complex and multi-faceted challenges security professionals face across infrastructure and development lifecycles.
📚 SecMisc
Bash HTTP Requests Without Curl - mareksuppa.com
This technique demonstrates how to perform HTTP requests in environments where standard tools like curl are absent, utilizing basic /dev/tcp functionality in Bash. This is particularly useful for red team operations or in highly restricted containerized environments to establish C2 or exfiltrate data.
Swift Language in Apple Kernel - blog.calif.io
This article delves into the technical implications of integrating Swift, a memory-safe language, into the Apple kernel. This move promises potential security benefits by reducing common memory-related vulnerabilities but also introduces new complexities and potential attack surface considerations for kernel development.
📰 SecLinks
Claude Fable 5 System Prompt Disclosed - aiengineerguide.com
The system prompt for Anthropic's Claude Fable 5, a "Mythos-class" model, reveals its internal directives, including extensive safety measures and copyright compliance mechanisms. It details artifact storage capabilities with a key-value system and external tool call logic requiring MCP registry checks, providing insight into its operational security and integration points.
Gogs Reverse Proxy Auth Bypass - tenable.com
A critical authentication bypass vulnerability exists in Gogs when ENABLE_REVERSE_PROXY_AUTHENTICATION is enabled, allowing unvalidated X-WEBAUTH-USER headers directly from clients. This flaw enables remote attackers to impersonate any user or trigger automatic account creation, completely bypassing configured authentication mechanisms.
Joomla JCE Unauthenticated RCE Critical - yeswehack.com
CVE-2026-48907 is a critical pre-authentication Remote Code Execution (RCE) vulnerability found in the Joomla Content Editor (JCE) extension. The existence of public proof-of-concept (PoC) and detailed exploit flow analysis necessitates immediate patching for all affected Joomla installations to prevent severe compromise.
Improving Continuous PR Security Review - projectdiscovery.io
This post highlights the difficulty of identifying security flaws during Pull Request (PR) review, particularly for issues that manifest only at runtime, such as missing permission checks on new API endpoints. It advocates for advanced continuous security review processes that go beyond static analysis to capture behavioral security issues before they reach production.
AI Agents Automate AppSec Remediation - blog.ogwilliam.com
Endor Labs' AURI Agents are introduced as an AI-powered solution to address the persistent AppSec backlog, leveraging open-source plugins for LLMs like Claude, Cursor, and Codex. These agents aim to automate remediation tasks, offering defenders a way to significantly improve efficiency in managing and fixing application security vulnerabilities.
Hackers Leverage Claude, Codex for Breaches - research.openanalysis.net
Captured logs from a compromised honeypot reveal unprecedented evidence of threat actors actively utilizing AI models like Claude and Codex to execute real-world intrusions. This research provides critical insight into how LLMs are being weaponized for red teaming and hacking, demonstrating a new and evolving TTP for cybercriminals.
PHP mb_substr() Size_t Underflow - fereidani.com
A size_t underflow vulnerability in PHP 8.5.7's mb_substr() function, specifically with the 'SJIS-mac' encoding, is caused by bypassing an early empty return guard. This flaw allows execution to fall through to mb_get_substr_slow(), potentially leading to memory corruption, denial-of-service, or remote code execution.
PHP FILTER_SANITIZE_ENCODED Uninitialized Read - fereidani.com
PHP 8.5.7 contains an uninitialized read vulnerability in the php_filter_encode_url function within ext/filter/sanitizing_filters.c. This occurs because the 255th byte of a transient array remains uninitialized after memset(tmp, 1, sizeof(tmp) - 1), potentially leading to information disclosure or unpredictable behavior.
Schneier on AI Export Controls - schneier.com
Bruce Schneier criticizes the US government's classification of Anthropic's Fable AI as a dangerous munition and subsequent export control, arguing it's an ineffective approach. He posits that the core issue lies in the general trend of increasing AI capabilities, not specific models, and emphasizes the need for collective action over isolated restrictions to truly address AI's societal implications.
Critical Ciphertext Formatting Crypto Bug - blog.calif.io
A significant cryptographic vulnerability related to ciphertext formatting has been identified, impacting widely used libraries including OpenSSL, wolfSSL, Bouncy Castle, and GnuPG. Such a flaw can lead to severe consequences like plaintext recovery, signature forgery, or denial-of-service attacks against systems relying on these fundamental cryptographic implementations.
Auth0 Defaults Lead to XSS - elttam.com
This research details how insecure default configurations within the Auth0 identity platform can be exploited to facilitate Cross-Site Scripting (XSS) attacks. Security professionals should review their Auth0 implementations to ensure that default settings are hardened to prevent common XSS vectors from being abused.
Security Context for Vulnerability Discovery - securitycontext.dev
The "Security Context" concept proposes leveraging a repository's historical fix data and disclosed CVEs to provide intelligent agents with relevant information for vulnerability discovery. This approach aims to enhance automated security tools by feeding them a deeper understanding of past vulnerabilities, improving their effectiveness in finding new flaws.
Fake Job Offer NPM Info-Stealer - aydinnyunus.github.io
A social engineering campaign disguised as a freelance job offer utilized a typosquatted npm package (pretie_x1) within a malicious ZIP file. The package deployed a multi-stage, AES-encrypted info-stealer designed to exfiltrate critical data, including browser credentials, crypto wallets, SSH keys, and OS login passwords, highlighting a severe software supply-chain threat.
OpenAI Launches AI Security Tools - openai.com
OpenAI has introduced new "Daybreak" security tools, including Codex Security and GPT-5.5-Cyber, designed to help organizations find, validate, and patch vulnerabilities. This initiative marks OpenAI's entry into defensive cybersecurity, leveraging advanced AI capabilities to scale vulnerability management and enhance organizational security postures.
Cisco CUCM Unauthenticated RCE - ssd-disclosure.com
A critical vulnerability in Cisco Unified Communications Manager (CUCM) allows unauthenticated attackers to perform arbitrary file writes, directly leading to Remote Code Execution (RCE). This severe flaw (CVE-2026-20230) impacts essential enterprise communication infrastructure and requires immediate patching as per vendor advisory.
🐦 SecX
AnyDesk Preauth 0-Click RCE - x.com
An announcement for "AnyPwn," a pre-authentication, zero-click Remote Code Execution (RCE) vulnerability in AnyDesk, described as a heap buffer overflow. A Proof-of-Concept (PoC) for this highly critical flaw in the widely used remote desktop application is slated for release post-disclosure and vendor patching.
🎥 SecVideo
Hacking Broken Access Control for Profit - youtube.com
This video details a real-world example of exploiting Broken Access Control vulnerabilities, a common web security flaw, to achieve significant financial gains through bug bounty programs. It provides practical insights and methodologies for identifying and exploiting misconfigured access controls within web applications.
💻 SecGit
Bumblebee Scans for Supply-Chain Exposure - github.com
PerplexityAI's Bumblebee is a read-only scanner designed to check for exposure to known software supply-chain compromises by analyzing on-disk package, extension, and developer-tool metadata. This tool offers a proactive defense mechanism for identifying compromised software components and ensuring the integrity of development environments.
Authorization Replay Tool Stargazed - github.com
The bscript/authz-replay repository, a tool likely designed for authorization replay, has been starred, indicating growing interest in techniques for testing access control mechanisms. Authorization replay is a crucial method for identifying Broken Access Control vulnerabilities by replaying requests with different user contexts to uncover privilege escalation opportunities.
Threat Tiger Modeling Tool Released - github.com
Threat Tiger is introduced as a modern threat modeling tool, providing a structured approach for identifying potential security threats and vulnerabilities early in the development lifecycle. This open-source project offers a valuable resource for security teams to integrate proactive threat analysis into their software development processes.